FortiOS - Release Notes

Version 6.0.6
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE

https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdoc@fortinet.com

July 18, 2019

FortiOS 6.0.6 Release Notes
01-606-563569-20190718
 TABLE OF CONTENTS

Change Log 4
Introduction 5
Supported models 5
Special branch supported models 6
Special Notices 7
Common vulnerabilities and exposures 7
WAN optimization and web caching functions 7
FortiGuard Security Rating Service 8
Built-in certificate 9
FortiGate and FortiWiFi-92D hardware limitation 9
FG-900D and FG-1000D 9
FortiClient (Mac OS X) SSL VPN requirements 9
FortiClient profile changes 10
Use of dedicated management interfaces (mgmt1 and mgmt2) 10
Using FortiAnalyzer units running older versions 10
Upgrade Information 11
Fortinet Security Fabric upgrade 11
Minimum version of TLS services automatically changed 11
Downgrading to previous firmware versions 12
Amazon AWS enhanced networking compatibility issue 12
FortiGate VM firmware 13
Firmware image checksums 13
FortiGuard update-server-location setting 14
Product Integration and Support 15
Language support 17
SSL VPN support 17
SSL VPN standalone client 17
SSL VPN web mode 18
SSL VPN host compatibility list 18
Resolved Issues 20
Known Issues 21
Limitations 24
Citrix XenServer limitations 24
Open source XenServer limitations 24

FortiOS Release Notes Fortinet Technologies Inc.

Change Log

Date Change Description

2019-07-18 Initial release.

FortiOS Release Notes Fortinet Technologies Inc.

Introduction

This document provides the following information for FortiOS 6.0.6 build 0272:
l Special Notices
l Upgrade Information
l Product Integration and Support
l Resolved Issues
l Known Issues
l Limitations
For FortiOS documentation, see the Fortinet Document Library.

Supported models

FortiOS 6.0.6 supports the following models.

FortiGate FG-30D, FG-30D-POE, FG-30E, FG-30E_3G4G_INTL, FG-30E_3G4G_NAM, FG-50E,

FG-51E, FG-52E, FG-60D, FG-60D-POE, FG-60E, FG-60E-DSL, FG-60E-DSLJ,
FG-60E-POE, FG-61E, FG-70D, FG-70D-POE, FG-80D, FG-80E, FG-80E-POE, FG-81E,
FG-81E-POE, FG-90D, FG-90D-POE, FG-90E, FG-92D, FG-94D-POE, FG-98D-POE, FG-
100D, FG-100E, FG-100EF, FG-101E, FG-140D, FG-140D-POE, FG-140E, FG-140E-POE,
FG- 200D, FG-200D-POE, FG-200E, FG-201E, FG-240D, FG-240D-POE, FG-280D-POE,
FG-300D, FG-300E, FG-301E, FG-400D, FG-500D, FG-500E, FG-501E, FG-600D,
FG-800D, FG-900D, FG-1000D, FG-1200D, FG-1500D, FG-1500DT, FG-2000E, FG-2500E,
FG-3000D, FG-3100D, FG-3200D, FG-3700D, FG-3800D, FG-3810D, FG-3815D,
FG-3960E, FG-3980E, FG-5001D, FG-5001E, FG-5001E1

FortiWiFi FWF-30D, FWF-30D-POE, FWF-30E, FWF-30E_3G4G_INTL, FWF-30E_3G4G_NAM,

FWF-50E, FWF-50E-2R, FWF-51E, FWF-60D, FWF-60D-POE, FWF-60E, FWF-60E-DSL,
FWF-60E-DSLJ, FWF-61E, FWF-90D, FWF-90D-POE, FWF-92D

FortiGate Rugged FGR-30D, FGR-35D, FGR-60D, FGR-90D

FortiGate VM FG-SVM, FG-VM64, FG-VM64-ALI, FG-VM64-ALIONDEMAND, FG-VM64-AWS,

FG-VM64-AWSONDEMAND, FG-VM64-HV, FG-VM64-KVM, FG-VMX, FG-VM64-XEN,
FG-VM64-GCP, FG-VM64-OPC, FG-VM64-GCPONDEMAND

Pay-as-you-go FOS-VM64, FOS-VM64-KVM, FOS-VM64-XEN

images

FortiOS Carrier FortiOS Carrier 6.0.6 images are delivered upon request and are not available on the
customer support firmware download page.

FortiOS Release Notes Fortinet Technologies Inc.

 Introduction 6

Special branch supported models

The following models are released on a special branch of FortiOS 6.0.6. To confirm that you are running the correct
build, run the CLI command get system status and check that the Branch point field shows 0272.

FG-30E-MG is released on build 5365.

FG-100F is released on build 6319.

FG-101F is released on build 6319.

FG-400E is released on build 6325.

FG-401E is released on build 6325.

FG-600E is released on build 6325.

FG-601E is released on build 6325.

FG-3400E is released on build 6326.

FG-3401E is released on build 6326.

FG-3600E is released on build 6326.

FG-3601E is released on build 6326.

FG-VM64-AZURE is released on build 5363.

FG-VM64-AZUREONDEMAND is released on build 5363.

FG-VM64-RAXONDEMAND is released on build 8338.

FortiOS Release Notes Fortinet Technologies Inc.

Special Notices

l Common vulnerabilities and exposures on page 7

l WAN optimization and web caching functions
l FortiGuard Security Rating Service
l Built-in certificate
l FortiGate and FortiWiFi-92D hardware limitation
l FG-900D and FG-1000D
l FortiClient (Mac OS X) SSL VPN requirements
l FortiClient profile changes
l Use of dedicated management interfaces (mgmt1 and mgmt2)

Common vulnerabilities and exposures

FortiOS 6.0.6 is no longer vulnerable to the issue described in the following link - https://fortiguard.com/psirt/FG-IR-19-
144.

WAN optimization and web caching functions

WAN optimization and web caching functions are removed from 60D and 90D series platforms, starting from 6.0.0 due
to their limited disk size. Platforms affected are:
l FGT-60D
l FGT-60D-POE
l FWF-60D
l FWF-60D-POE
l FGT-90D
l FGT-90D-POE
l FWF-90D
l FWF-90D-POE
l FGT-94D-POE
Upon upgrading from 5.6 patches to 6.0.0, diagnose debug config-error-log read will show command
parse error about wanopt and webcache settings.

FortiOS Release Notes Fortinet Technologies Inc.

Special Notices 8

FortiGuard Security Rating Service

Not all FortiGate models can support running the FortiGuard Security Rating Service as a Fabric "root" device. The
following FortiGate platforms can run the FortiGuard Security Rating Service when added to an existing Fortinet
Security Fabric managed by a supported FortiGate model:
l FGR-30D-A
l FGR-30D
l FGR-35D
l FGR-60D
l FGR-90D
l FGT-200D
l FGT-200D-POE
l FGT-240D
l FGT-240D-POE
l FGT-280D-POE
l FGT-30D
l FGT-30D-POE
l FGT-30E
l FGT-30E-MI
l FGT-30E-MN
l FGT-50E
l FGT-51E
l FGT-52E
l FGT-60D
l FGT-60D-POE
l FGT-70D
l FGT-70D-POE
l FGT-90D
l FGT-90D-POE
l FGT-94D-POE
l FGT-98D-POE
l FWF-30D
l FWF-30D-POE
l FWF-30E
l FWF-30E-MI
l FWF-30E-MN
l FWF-50E-2R
l FWF-50E
l FWF-51E
l FWF-60D
l FWF-60D-POE
l FWF-90D
l FWF-90D-POE
l FWF-92D

FortiOS Release Notes Fortinet Technologies Inc.

 Special Notices 9

Built-in certificate

FortiGate and FortiWiFi D-series and above have a built in Fortinet_Factory certificate that uses a 2048-bit certificate
with the 14 DH group.

FortiGate and FortiWiFi-92D hardware limitation

FortiOS 5.4.0 reported an issue with the FG-92D model in the Special Notices > FG-92D High Availability in Interface
Mode section of the release notes. Those issues, which were related to the use of port 1 through 14, include:
l PPPoE failing, HA failing to form.
l IPv6 packets being dropped.
l FortiSwitch devices failing to be discovered.
l Spanning tree loops may result depending on the network topology.
FG-92D and FWF-92D do not support STP. These issues have been improved in FortiOS 5.4.1, but with some side
effects with the introduction of a new command, which is enabled by default:
config global
set hw-switch-ether-filter <enable | disable>

When the command is enabled:

l ARP (0x0806), IPv4 (0x0800), and VLAN (0x8100) packets are allowed.
l BPDUs are dropped and therefore no STP loop results.
l PPPoE packets are dropped.
l IPv6 packets are dropped.
l FortiSwitch devices are not discovered.
l HA may fail to form depending the network topology.

When the command is disabled:

l All packet types are allowed, but depending on the network topology, an STP loop may result.

FG-900D and FG-1000D

CAPWAP traffic will not offload if the ingress and egress traffic ports are on different NP6 chips. It will only offload if
both ingress and egress ports belong to the same NP6 chip.

FortiClient (Mac OS X) SSL VPN requirements

When using SSL VPN on Mac OS X 10.8, you must enable SSLv3 in FortiOS.

FortiOS Release Notes Fortinet Technologies Inc.

 Special Notices 10

FortiClient profile changes

With introduction of the Fortinet Security Fabric, FortiClient profiles will be updated on FortiGate. FortiClient profiles
and FortiGate are now primarily used for Endpoint Compliance, and FortiClient Enterprise Management Server (EMS) is
now used for FortiClient deployment and provisioning.
The FortiClient profile on FortiGate is for FortiClient features related to compliance, such as Antivirus, Web Filter,
Vulnerability Scan, and Application Firewall. You may set the Non-Compliance Action setting to Block or Warn.
FortiClient users can change their features locally to meet the FortiGate compliance criteria. You can also use
FortiClient EMS to centrally provision endpoints. The EMS also includes support for additional features, such as VPN
tunnels or other advanced options. For more information, see the FortiOS Handbook – Security Profiles.

Use of dedicated management interfaces (mgmt1 and mgmt2)

For optimum stability, use management ports (mgmt1 and mgmt2) for management traffic only. Do not use
management ports for general user traffic.

Using FortiAnalyzer units running older versions

When using FortiOS 6.0.6 with FortiAnalyzer units running 5.6.5 or lower, or 6.0.0-6.0.2, FortiAnalyzer might report
increased bandwidth and session counts if there are sessions that last longer than two minutes.
For accurate bandwidth and session counts, upgrade the FortiAnalyzer unit to 6.0.6.

FortiOS Release Notes Fortinet Technologies Inc.

Upgrade Information

Supported upgrade path information is available on the Fortinet Customer Service & Support site.

To view supported upgrade path information:

1. Go to https://support.fortinet.com.
2. From the Download menu, select Firmware Images.
3. Check that Select Product is FortiGate.
4. Click the Upgrade Path tab and select the following:
l Current Product
l Current FortiOS Version
l Upgrade To FortiOS Version
5. Click Go.

Fortinet Security Fabric upgrade

FortiOS 6.0.6 greatly increases the interoperability between other Fortinet products. This includes:
l FortiAnalyzer 6.0.0 and later
l FortiClient 6.0.0 and later
l FortiClient EMS 6.0.0 and later
l FortiAP 5.4.4 and later
l FortiSwitch 3.6.4 and later
Upgrade the firmware of each product in the correct order. This maintains network connectivity without the need to use
manual steps.
Before upgrading any product, you must read the FortiOS Security Fabric Upgrade Guide.

If Security Fabric is enabled, then all FortiGate devices must be upgraded to 6.0.6. When
Security Fabric is enabled, you cannot have some FortiGate devices running 6.0.6 and some
running 5.6.x.

Minimum version of TLS services automatically changed

For improved security, FortiOS 6.0.6 uses the ssl-min-proto-version option (under config system
global) to control the minimum SSL protocol version used in communication between FortiGate and third-party SSL
and TLS services.

FortiOS Release Notes Fortinet Technologies Inc.

Upgrade Information 12

When you upgrade to FortiOS 6.0.6 and later, the default ssl-min-proto-version option is TLS v1.2. The
following SSL and TLS services inherit global settings to use TLS v1.2 as the default. You can override these settings.
l Email server (config system email-server)
l Certificate (config vpn certificate setting)
l FortiSandbox (config system fortisandbox)
l FortiGuard (config log fortiguard setting)
l FortiAnalyzer (config log fortianalyzer setting)
l LDAP server (config user ldap)
l POP3 server (config user pop3)

Downgrading to previous firmware versions

Downgrading to previous firmware versions results in configuration loss on all models. Only the following settings are
retained:
l operation mode
l interface IP/management IP
l static route table
l DNS settings
l VDOM parameters/settings
l admin user account
l session helpers
l system access profiles
If you have long VDOM names, you must shorten the long VDOM names (maximum 11 characters) before
downgrading:
1. Back up your configuration.
2. In the backup configuration, replace all long VDOM names with its corresponding short VDOM name.
For example, replace edit <long_vdom_name>/<short_name> with edit <short_name>/<short_
name>.
3. Restore the configuration.
4. Perform the downgrade.

Amazon AWS enhanced networking compatibility issue

With this new enhancement, there is a compatibility issue with older AWS VM versions. After downgrading a 6.0.6
image to an older version, network connectivity is lost. Since AWS does not provide console access, you cannot recover
the downgraded image.
When downgrading from 6.0.6 to older versions, running the enhanced nic driver is not allowed. The following AWS
instances are affected:
l C3
l C4

FortiOS Release Notes Fortinet Technologies Inc.

Upgrade Information 13

l R3
l I2
l M4
l D2

FortiGate VM firmware

Fortinet provides FortiGate VM firmware images for the following virtual environments:

Citrix XenServer and Open Source XenServer

l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.OpenXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
the QCOW2 file for Open Source XenServer.
l .out.CitrixXen.zip: Download the 64-bit package for a new FortiGate VM installation. This package
contains the Citrix XenServer Virtual Appliance (XVA), Virtual Hard Disk (VHD), and OVF files.

Linux KVM

l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.kvm.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
QCOW2 that can be used by qemu.

Microsoft Hyper-V

l .out: Download the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .out.hyperv.zip: Download the 64-bit package for a new FortiGate VM installation. This package contains
three folders that can be imported by Hyper-V Manager on Hyper-V 2012. It also contains the file fortios.vhd in
the Virtual Hard Disks folder that can be manually added to the Hyper-V Manager.

VMware ESX and ESXi

l .out: Download either the 64-bit firmware image to upgrade your existing FortiGate VM installation.
l .ovf.zip: Download either the 64-bit package for a new FortiGate VM installation. This package contains Open
Virtualization Format (OVF) files for VMware and two Virtual Machine Disk Format (VMDK) files used by the OVF
file during deployment.

Firmware image checksums

The MD5 checksums for all Fortinet software and firmware releases are available at the Customer Service & Support
portal, https://support.fortinet.com. After logging in select Download > Firmware Image Checksums, enter the image
file name including the extension, and select Get Checksum Code.

FortiOS Release Notes Fortinet Technologies Inc.

Upgrade Information 14

FortiGuard update-server-location setting

The FortiGuard update-server-location default setting is different between hardware platforms and VMs. On
hardware platforms, the default is any. On VMs, the default is usa.
On VMs, after upgrading from 5.6.3 or earlier to 5.6.4 or later (including 6.0.0 or later), update-server-location
is set to usa.
If necessary, set update-server-location to use the nearest or low-latency FDS servers.

To set FortiGuard update-server-location:

config system fortiguard

set update-server-location [usa|any]
end

FortiOS Release Notes Fortinet Technologies Inc.

Product Integration and Support

The following table lists FortiOS 6.0.6 product integration and support information:

Web Browsers l Microsoft Edge 44

l Mozilla Firefox version 66
l Google Chrome version 73
l Apple Safari version 12.1
Other web browsers may function correctly, but are not supported by Fortinet.

Explicit Web Proxy Browser l Microsoft Edge 41

l Microsoft Internet Explorer version 11
l Mozilla Firefox version 59
l Google Chrome version 65
l Apple Safari version 9.1 (For Mac OS X)
Other web browsers may function correctly, but are not supported by Fortinet.

FortiManager See important compatibility information in . For the latest information, see
FortiManager compatibility with FortiOS in the Fortinet Document Library.
Upgrade FortiManager before upgrading FortiGate.

FortiAnalyzer See important compatibility information in . For the latest information, see
FortiAnalyzer compatibility with FortiOS in the Fortinet Document Library.
Upgrade FortiAnalyzer before upgrading FortiGate.

FortiClient: l 6.0.0
l Microsoft Windows See important compatibility information in Fortinet Security Fabric upgrade on
l Mac OS X page 11.
l Linux
If you're upgrading both FortiOS and FortiClient from 5.6 to 6.0, upgrade
FortiClient first to avoid compatibility issues.

FortiClient for Linux is supported on Ubuntu 16.04 and later, Red Hat 7.4 and
later, and CentOS 7.4 and later.

If you are using FortiClient only for IPsec VPN or SSL VPN, FortiClient version
5.6.0 and later are supported.

FortiClient iOS l 5.6.0 and later

FortiClient Android and l 5.4.2 and later

FortiClient VPN Android

FortiAP l 5.4.2 and later

l 5.6.0 and later

FortiAP-S l 5.4.3 and later

l 5.6.0 and later

FortiOS Release Notes Fortinet Technologies Inc.

Product Integration and Support 16

FortiSwitch OS l 3.6.9 and later

(FortiLink support)

FortiController l 5.2.5 and later

Supported models: FCTL-5103B, FCTL-5903C, FCTL-5913C

FortiSandbox l 2.3.3 and later

Fortinet Single Sign-On l 5.0 build 0276 and later (needed for FSSO agent support OU in group filters)
(FSSO) l Windows Server 2016 Datacenter
l Windows Server 2016 Standard
l Windows Server 2008 (32-bit and 64-bit)
l Windows Server 2008 R2 64-bit
l Windows Server 2012 Standard
l Windows Server 2012 R2 Standard
l Novell eDirectory 8.8

FortiExtender l 3.3.2, 4.0.0

AV Engine l 6.00019

IPS Engine l 4.00035

Virtualization Environments

Citrix l XenServer version 5.6 Service Pack 2

l XenServer version 6.0 and later

Linux KVM l RHEL 7.1/Ubuntu 12.04 and later

l CentOS 6.4 (qemu 0.12.1) and later

Microsoft l Hyper-V Server 2008 R2, 2012, 2012 R2, and 2016

Open Source l XenServer version 3.4.3

l XenServer version 4.1 and later

VMware l ESX versions 4.0 and 4.1

l ESXi versions 4.0, 4.1, 5.0, 5.1, 5.5, 6.0, 6.5, and 6.7

VM Series - SR-IOV The following NIC chipset cards are supported:

l Intel 82599
l Intel X540
l Intel X710/XL710

FortiOS Release Notes Fortinet Technologies Inc.

 Product Integration and Support 17

Language support

The following table lists language support information.

Language support

Language GUI

English ✔

Chinese (Simplified) ✔

Chinese (Traditional) ✔

French ✔

Japanese ✔

Korean ✔

Portuguese (Brazil) ✔

Spanish ✔

SSL VPN support

SSL VPN standalone client

The following table lists SSL VPN tunnel client standalone installer for the following operating systems.

Operating system and installers

Operating System Installer

Linux CentOS 6.5 / 7 (32-bit & 64-bit) 2336. Download from the Fortinet Developer Network:
Linux Ubuntu 16.04 (32-bit & 64-bit) https://fndn.fortinet.net.

Other operating systems may function correctly, but are not supported by Fortinet.

SSL VPN standalone client no longer supports the following operating systems:
l Microsoft Windows 7 (32-bit & 64-bit)
l Microsoft Windows 8 / 8.1 (32-bit & 64-bit)
l Microsoft Windows 10 (64-bit)
l Virtual Desktop for Microsoft Windows 7 SP1 (32-bit)

FortiOS Release Notes Fortinet Technologies Inc.

 Product Integration and Support 18

SSL VPN web mode

The following table lists the operating systems and web browsers supported by SSL VPN web mode.

Supported operating systems and web browsers

Operating System Web Browser

Microsoft Windows 7 SP1 (32-bit & 64-bit) Mozilla Firefox version 66

Google Chrome version 73

Microsoft Windows 10 (64-bit) Microsoft Edge

Mozilla Firefox version 66
Google Chrome version 73

Linux Ubuntu 16.04 / 18.04 (32-bit & 64-bit) Mozilla Firefox version 66

MacOS High Sierra 10.13.6 Apple Safari version 12

Mozilla Firefox version 66
Google Chrome version 72

iOS Apple Safari

Mozilla Firefox
Google Chrome

Android Mozilla Firefox

Google Chrome

Other operating systems and web browsers may function correctly, but are not supported by Fortinet.

SSL VPN host compatibility list

The following table lists the antivirus and firewall client software packages that are supported.

Supported Microsoft Windows XP antivirus and firewall software

Product Antivirus Firewall

Symantec Endpoint Protection 11 ✔ ✔

Kaspersky Antivirus 2009 ✔

McAfee Security Center 8.1 ✔ ✔

Trend Micro Internet Security Pro ✔ ✔

F-Secure Internet Security 2009 ✔ ✔

FortiOS Release Notes Fortinet Technologies Inc.

Product Integration and Support 19

Supported Microsoft Windows 7 32-bit antivirus and firewall software

Product Antivirus Firewall

CA Internet Security Suite Plus Software ✔ ✔

AVG Internet Security 2011

F-Secure Internet Security 2011 ✔ ✔

Kaspersky Internet Security 2011 ✔ ✔

McAfee Internet Security 2011 ✔ ✔

Norton 360™ Version 4.0 ✔ ✔

Norton™ Internet Security 2011 ✔ ✔

Panda Internet Security 2011 ✔ ✔

Sophos Security Suite ✔ ✔

Trend Micro Titanium Internet Security ✔ ✔

ZoneAlarm Security Suite ✔ ✔

Symantec Endpoint Protection Small ✔ ✔

Business Edition 12.0

FortiOS Release Notes Fortinet Technologies Inc.

Resolved Issues

The following issues have been fixed in version 6.0.6. For inquires about a particular bug, please contact Customer
Service & Support.

VM

Bug ID Description

548366 Azure SDN fabric connector is showing status down.

Common Vulnerabilities and Exposures

Visit https://fortiguard.com/psirt for more information.

Vulnerability

FortiOS 6.0.6 is no longer vulnerable to the issue described in the following link - https://fortiguard.com/psirt/FG-IR-
19-144.

FortiOS Release Notes Fortinet Technologies Inc.

Known Issues

The following issues have been identified in version 6.0.6. For inquires about a particular bug or to report a bug, please
contact Customer Service & Support.

Application Control

Bug ID Description

435951 Traffic keeps going through the DENY NGFW policy configured with URL category.

488369 DSCP/ToS is not implemented in shaping-policy yet.

FortiView

Bug ID Description

403229 In FortiView, display from FortiAnalyzer, the upstream FortiGate cannot drill down to final level for
downstream traffic.

411368 In FortiView with FortiAnalyzer, the combined MAC address is displayed in the Device field.

525702 FortiView does not support auto update in real-time view and shows unscanned application.

526956 FortiView widgets get deleted on upgrading to B222.

527540 In many FortiView pages, the Quarantine Host option is not clickable on a registered device.

528483 FortiView > Destination page filter destination owner cannot filter out correct destination in real
time view.

554791 Policy direct hyperlink from historical FortiView sessions does not highlight policy.

528767 In FortiView > multiple charts, Previous Time Periods in custom period is missing.

GUI

Bug ID Description

442231 Link cannot show different colors based on link usage legend in logical topology real time view.

451776 Admin GUI has limit of 10 characters for OTP.

508015 Edit Policy from GUI changes fsso setting to disabled.

516415 Edit Disclaimer Message button is missing on Proxy Policy page.

FortiOS Release Notes Fortinet Technologies Inc.

Known Issues 22

HA

Bug ID Description

479987 FG MGMT1 does not authenticate Admin RADIUS users through primary unit (secondary unit
works).

539155 HA master does not send SNMP trap when plugging cable into interface that is set as ha-mgmt-
interfaces.

Intrusion Prevention

Bug ID Description

445113 IPS engine 3.428 on FortiGate sometimes cannot detect Psiphon packets that iscan can detect.

IPsec VPN

Bug ID Description

469798 The interface shaping with egress shaping profile doesn't work for offloaded traffic.

481201 The OCVPN feature is delayed about one day after registering on FortiCare.

Log & Report

Bug ID Description

412649 In NGFW Policy mode, FortiGate does not create web filter logs.

SSL VPN

Bug ID Description

405239 URL rewritten incorrectly for a specific page in application server.

Switch Controller

Bug ID Description

357360 DHCP snooping may not work on IPv6.

528983 When IGMP snooping is enabled on a VLAN, reserved multicast packets are forwarded twice on the
124D, 224D-FPOE, 248D, 424D, 424D-POE, 424D-FPOE, 448D, 448DPOE, 448D-FPOE, 224E,
224E-POE, 248E-POE, 248E-FPOE models.

FortiOS Release Notes Fortinet Technologies Inc.

Known Issues 23

System

Bug ID Description

295292 If private-data-encryption is enabled, when restoring config to a FortiGate, the FortiGate

may not prompt the user to enter the key.

472843 When FortiManager is set for DM = set verify-install-disable, FortiGate does not
always save script changes.

474132 FG-51E hang under stress test since build 0050.

Upgrade

Bug ID Description

470575 After upgrading from 5.6.3, g-sniffer-profile and sniffer-profile exist for IPS and
web filter.

473075 When upgrading, multicast policies are lost when there is a zone member as interface.

481408 When upgrading from 5.6.3 to 6.0.0, the IPv6 policy is lost if there is SD-WAN member as
interface.

494217 Peer user SSL VPN personal bookmarks do not show when upgrade to 6.0.1.
Workaround: Use CLI to rename the user bookmark to the new name.

FortiOS Release Notes Fortinet Technologies Inc.

Limitations

Citrix XenServer limitations

The following limitations apply to Citrix XenServer installations:

l XenTools installation is not supported.
l FortiGate-VM can be imported or deployed in only the following three formats:
l XVA (recommended)
l VHD
l OVF
l The XVA format comes pre-configured with default configurations for VM name, virtual CPU, memory, and virtual
NIC. Other formats will require manual configuration before the first power on process.

Open source XenServer limitations

When using Linux Ubuntu version 11.10, XenServer version 4.1.0, and libvir version 0.9.2, importing issues may arise
when using the QCOW2 format and existing HDA issues.

FortiOS Release Notes Fortinet Technologies Inc.

Copyright© 2019 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.